Multi-Samba4 DC Domain With Replication/DNS Issues

Matthieu Patou mat at
Sat Dec 3 06:29:58 MST 2011

Hello Ted,

On 02/12/2011 19:44, Ted Salmon wrote:
> Hello,
> I recently setup a second AD DC in my Domain which is running in a VM. Both DCs in the domain run Samba4 Alpha 17 (Final Alpha) and were installed from the same package which I compiled. The PDC of the domain is running Bind 9.8.1 P1 with GSSAPI for Kerberos DNS updates which are working great (I've added multiple client machines and watched them replicate into the DNS). The trouble comes with replication from DC to DC. It seems the PDC replicates just fine to the other DC in the domain but replication does not work from the secondary DC back to the PDC. I noticed that the Secondary DC is also NOT in DNS so I had to add it via host entry (really ghetto). I'm not sure why it won't show up in DNS as other client machines on the domain replicate into DNS without fault. The PDC does have all failures for replication in and error out with 'WERR_BADFILE'. Also, is there a way to remove the secondary DC from the domain now that it's been joined?
> Here's what my PDC has to say about AD DCs in my domain:
>
> root@NETW1-STATS:~# ldbsearch -H /usr/var/lib/samba/private/sam.ldb objectclass=ntdsdsa objectguid --cross-ncs
> # record 1
> dn: CN=NTDS Settings,CN=NETW1-STATS,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=network,DC=local
> objectGUID: 607a8cb6-c2ed-4e21-b616-576fae043d7b
>
> # record 2
> dn: CN=NTDS Settings,CN=NETW2-DEV,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=network,DC=local
> objectGUID: 78398891-722d-4c85-96b4-41416e126a1c

The whole email is quite hard to read; think about more spacing next time.

The thing is that in order for replication to work correctly you need a 
lot of DNS records.

So it seems that you still have them, let's try to fix them.

Can you enable the debug in bind as indicated here: it's page 16 of my 
presentation at last XP.
Also check that you can get a kerberos ticket on the second dc:
kinit administrator

Then restart samba and look at the debug file, you might find 
information on why your updates from second DC are not allowed on the 
first DC.


Matthieu Patou
Samba Team
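Matthieu's point that replication depends on "a lot of DNS records" can be checked mechanically. The script below is an added example written for this archive page; it is not Samba code and not something either poster ran. It builds the list of names a DC is expected to be answered under (the standard Active Directory DC locator records plus the `<NTDS objectGUID>._msdcs.<domain>` CNAME that DRS uses to find a replication partner; it is an assumption that this matches what Samba registers, and the list is not claimed to be exhaustive), then reports which of them do not point at the DC. The resolver is pluggable: `dig_lookup` shells out to `dig +short` for a real check, while `zone_lookup` answers from a constructed in-memory zone that mirrors the situation in the thread (the PDC fully registered, the second DC present only via a hand-added A record). The domain, host names and objectGUIDs come from the quoted `ldbsearch` output; the IP addresses and the `SITE` default are constructed.

```python
"""Check that the DNS records an AD DC needs for DRS replication exist.

Added example (not from the thread). The record list follows the standard
Active Directory DC locator records; it is an assumption that this matches
what Samba registers, and it is not exhaustive.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str]                    # (fqdn, record type)
Lookup = Callable[[str, str], List[str]]    # (fqdn, type) -> dig +short lines
SITE = "Default-First-Site-Name"            # site name from the quoted DNs


def expected_dc_records(domain: str, hostname: str, ntds_guid: str,
                        site: str = SITE) -> List[Record]:
    """Names a DC must appear under so clients and partner DCs can find it."""
    host_fqdn = f"{hostname.lower()}.{domain}"
    msdcs = f"_msdcs.{domain}"
    return [
        (host_fqdn, "A"),
        (domain, "A"),
        (f"gc.{msdcs}", "A"),
        # DRS locates a replication partner via <NTDS objectGUID>._msdcs.<domain>
        (f"{ntds_guid.lower()}.{msdcs}", "CNAME"),
        (f"_ldap._tcp.{domain}", "SRV"),
        (f"_ldap._tcp.dc.{msdcs}", "SRV"),
        (f"_ldap._tcp.{site}._sites.{domain}", "SRV"),
        (f"_ldap._tcp.{site}._sites.dc.{msdcs}", "SRV"),
        (f"_ldap._tcp.gc.{msdcs}", "SRV"),
        (f"_gc._tcp.{domain}", "SRV"),
        (f"_kerberos._tcp.{domain}", "SRV"),
        (f"_kerberos._udp.{domain}", "SRV"),
        (f"_kerberos._tcp.dc.{msdcs}", "SRV"),
        (f"_kerberos._tcp.{site}._sites.{domain}", "SRV"),
        (f"_kpasswd._tcp.{domain}", "SRV"),
        (f"_kpasswd._udp.{domain}", "SRV"),
    ]


def _targets(lines: List[str]) -> set:
    """Reduce dig +short style answers to their last field (IP or host name)."""
    return {ln.split()[-1].rstrip(".").lower() for ln in lines if ln.strip()}


def dig_lookup(name: str, rtype: str, server: str = None) -> List[str]:
    """Real resolver: runs `dig +short`, optionally against one DNS server."""
    cmd = ["dig", "+short"] + ([f"@{server}"] if server else []) + [name, rtype]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def missing_dc_records(domain: str, hostname: str, ntds_guid: str,
                       lookup: Lookup, site: str = SITE) -> List[Record]:
    """Return the expected records that do not currently point at this DC."""
    host_fqdn = f"{hostname.lower()}.{domain}"
    host_ips = _targets(lookup(host_fqdn, "A"))
    missing = []
    for name, rtype in expected_dc_records(domain, hostname, ntds_guid, site):
        answers = _targets(lookup(name, rtype))
        if rtype == "A":
            # The host's own A record must exist; shared names must include its IP
            ok = bool(answers) if name == host_fqdn else bool(answers & host_ips)
        else:
            ok = host_fqdn in answers       # CNAME/SRV must name this DC
        if not ok:
            missing.append((name, rtype))
    return missing


# --- constructed offline zone modelled on the thread's domain ---------------
def register_dc(zone: Dict[Record, List[str]], domain: str, hostname: str,
                ip: str, ntds_guid: str, site: str = SITE) -> None:
    """Populate `zone` the way a complete DC registration would."""
    host_fqdn = f"{hostname.lower()}.{domain}"
    for name, rtype in expected_dc_records(domain, hostname, ntds_guid, site):
        if rtype == "A":
            value = ip
        elif rtype == "CNAME":
            value = f"{host_fqdn}."
        else:                                 # SRV: prio weight port target
            port = 88 if "_kerberos" in name else 464 if "_kpasswd" in name else 389
            value = f"0 100 {port} {host_fqdn}."
        zone.setdefault((name.lower(), rtype), []).append(value)


DOMAIN = "domain.network.local"
PDC_GUID = "607a8cb6-c2ed-4e21-b616-576fae043d7b"     # from the thread
DC2_GUID = "78398891-722d-4c85-96b4-41416e126a1c"     # from the thread
ZONE: Dict[Record, List[str]] = {}
register_dc(ZONE, DOMAIN, "NETW1-STATS", "192.0.2.10", PDC_GUID)  # IP constructed
ZONE[(f"netw2-dev.{DOMAIN}", "A")] = ["192.0.2.11"]   # hand-added A record only


def zone_lookup(name: str, rtype: str) -> List[str]:
    """Offline resolver answering from the constructed zone above."""
    return ZONE.get((name.lower(), rtype.upper()), [])


if __name__ == "__main__":
    for dc, guid in [("NETW1-STATS", PDC_GUID), ("NETW2-DEV", DC2_GUID)]:
        gaps = missing_dc_records(DOMAIN, dc, guid, zone_lookup)
        print(f"{dc}: {len(gaps)} missing record(s)")
        for name, rtype in gaps:
            print(f"  {rtype:5} {name}")
```

Against a live domain, pass `dig_lookup` (or `functools.partial(dig_lookup, server="<PDC IP>")`, to query the PDC's BIND directly) instead of `zone_lookup`. The record that matters most for the replication failure described in the thread is the objectGUID CNAME: if `78398891-...._msdcs.domain.network.local` does not resolve to the second DC, the PDC has no way to reach it for DRS, and a host file entry on the PDC does not fix that for the other DC's own name-based lookups.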
